#### Meeting from: September 23rd, 2019

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Christian Siebmanns (@christian24)
- Wes Todd (@wesleytodd)
- Mark Dodgson (@doddi)
- Nathan LaFreniere (@nlf)
- Jordan Harband (@ljharb)
- Ruy Adorno (@ruyadorno)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct)
    1. Outline Intentions & Desired Outcomes
    1. Announcements
1. **PR**: [#235 Allow server generated header values](https://github.com/npm/rfcs/pull/235) - @doddi
1. **PR**: [#232 npm audit for a not yet installed package](https://github.com/npm/rfcs/pull/232) - @Christian24
1. **PR**: [#136 Add strictPeerDeps, override ERESOLVE if not true](https://github.com/npm/arborist/pull/136) - @isaacs
1. **Issue**: [#225 RRFC: Add support to plugin dependencies](https://github.com/npm/rfcs/issues/225) - @mshima
1. **Issue**: [#238 RRFC: Deprecating npx](https://github.com/npm/rfcs/issues/238) - @ruyadorno
1. **Issue**: [#155 RRFC: Deprecated packages: automatically display dependents](https://github.com/npm/rfcs/issues/155) - @dandv

### Notes

1. **PR**: [#235 Allow server generated header values](https://github.com/npm/rfcs/pull/235) - @doddi
    * @ljharb: Question, is there any use case beyond setting an app-id?
    * @ljharb: Seems like the scope of this is too broad
    * Keep open for now
    * Request feedback from community
1. **PR**: [#138 RFC: Add configurable data to HTTP header](https://github.com/npm/rfcs/pull/138) - @Mykyta
    * Updates made by @doddi to reflect feedback
    * Keep open for now
    * Expect to ratify if no pushback by next call
1. **PR**: [#232 npm audit for a not yet installed package](https://github.com/npm/rfcs/pull/232) - @Christian24
    * @ruyadorno suggested opt-out
    * @ljharb notes we should try not to slow down `npm view`
    * @ruyadorno should consider where we want this information to live
    * @wesleytodd this solution doesn't seem to solve the problem of discovering what dependencies will have advisories in their tree
    * @wesleytodd sounds like there's two problems: get information about package's advisory before you install it & after it's been installed
    * @ruyadorno this information should be on the website (npmjs.com)
    * @darcyclarke could change the name to try to be more specific about what is happening to `npm view` (ex. instead of `--audit` you could use `--`)
    * @darcyclarke sounds like we could/would have to support this through doing a dry run install/audit unless we made registry changes
    * Asking for feedback to be added in the comments themselves
1. **PR**: [#136 Add strictPeerDeps, override ERESOLVE if not true](https://github.com/npm/arborist/pull/136) - @isaacs
    * @ljharb we should break & evangelize change
    * @ljharb messaging/warning should be scary about breaking this in npm 8
    * @ruyadorno ask for RRFC for printing warnings
    * @ljharb note: there was a lot of discussion about crashing/strictness & no RRFC/RFC for changing this to resolving/warning
    * @wesleytodd we should be mindful of where warnings actually live/use-cases (ie. clogging up logs in CI)